Command Line Programs for Managing Audited Sessions

This section provides an overview of the command line interface that you can use to manage audited computers. For complete reference information about the required and optional parameters for each command, see the man page provided locally on the Server Suite-managed computer.

How to Use Command Line Programs

Command-line programs allow you to perform administrative tasks directly from a UNIX shell or from a shell script. These programs are installed with the Delinea Agent for *NIX, by default in the following directories:

  • /usr/sbin

  • /usr/bin

You can use the UNIX command-line programs to take action directly on a local UNIX computer, for example to enable or disable auditing manually on a local computer. You can also use these programs to perform administrative or diagnostic tasks when it is more convenient to run them on the UNIX computer than through Audit Manager. For example, you might find it more convenient to view details about the agent configuration or diagnostic information directly on a local computer rather than through Audit Manager or the Agent Control Panel.

Displaying Usage Information and Man Pages

You can display a summary of usage information for any UNIX command-line program by typing the command plus the --help or -h option. For example, to see the usage information for the dacontrol command:

dacontrol --help

For more complete information about any command, read the command’s man page. For example, to see the man page for the dacontrol command, type:

man dacontrol

Using Commands for Administrative Tasks

The command-line programs allow you to perform administrative tasks—such as enabling or disabling shell auditing on UNIX computers or generating diagnostic information—directly on an audited computer. The following table summarizes the auditing-related programs installed with the Delinea Agent for *NIX and the Delinea Client for Linux audit package. For complete information about the syntax and options for any command, see the man page for that command.

  • dacheck

    Performs operating system, network, and Active Directory tests to verify that a computer meets the system requirements for a successful installation. For example, the install.sh script runs the dacheck program. The dacheck command is located in the same place as the adcheck command: /usr/share/centrify/dc/bin.

  • dacontrol

    Enables or disables session or individual command auditing on a computer. You can also use this command to manually configure the audit installation to use for a local computer if you are not identifying the installation by group policy. Only users with root privileges can run the dacontrol command.

    Note: If the audited system is not joined to Active Directory and it is audited by way of the Delinea Client for Linux, you cannot change the audit installation with the dacontrol command.

  • dad

    Starts the dad process manually. The dad process records terminal activity on the UNIX computer and transfers the data to a collector. In most cases, it is started automatically when the computer is first booted. However, you can run this command to manually start the audit process on a local computer. Only users with root privileges can run the dad command.

  • dadebug

    Enables or disables logging for the dad process on an audited computer. If you enable logging, the dad process writes messages to the /var/log/centrifydc.log file. If you run dadebug without specifying an option, the command returns a status message that indicates whether logging is currently enabled or disabled. Only users with root privileges can run the dadebug command.

  • dadiag

    Displays detailed information about the configuration and current auditing status for a local computer. This command displays the same information as dainfo --diag.

  • daflush

    Clears the auditing service in-memory cache of name service queries and installation information. If you run this command without any arguments, it removes both auditing-related name service query results and audit installation information from the in-memory cache. If you run this command with no arguments or specify the nameservice option, the command also automatically clears the cache for common name services—such as nscd and pwgrd—if those services are running on the local computer. Clearing the cache of name service query results is useful if you make changes that would affect the results of a name service query and want to ensure you get updated information. For example, if you remove the UNIX Login role for an Active Directory user, some information for that user might remain in the auditing service cache and be returned when you run a command such as getent passwd for that user. You can run daflush to ensure the user is removed completely from the local computer cache, including the auditing service cache. Only users with root privileges can run the daflush command.

  • dainfo

    Displays detailed information about the status and configuration of an audited computer.

  • dareload

    Forces the dad process to reload configuration properties from the /etc/centrifyda/centrifyda.conf file or the advanced monitoring properties from /etc/centrifyda/libaudit.conf. This command enables you to apply configuration changes without restarting the agent. Only users with root privileges can run the dareload command.

  • dashellfix.sh

    Resets shells to their source shell on computers that are not being audited in an audited zone. On audited computers, the cdash shell is used to capture and forward audit data instead of the original shell. This script enables you to restore the user's original shell choice if the auditing service and wrapper shell are removed.

  • daspool

    Displays information about the size and content of the auditing-related offline cache (spool) files. If an audited computer cannot contact a collector service, it caches session, audit trail, and other information locally until a collector becomes available. This command enables you to review information about these offline cache files. Only users with root privileges can run the daspool command.

Configuring Duplicate Audit Session Cleanup

Sometimes the auditing service records duplicate sessions if your auditing installation includes one or more UNIX computers where both of the following situations occur:

  • The DirectAudit agent is installed.

  • A user can log in to the computer from the Admin Portal and the cloud tenant is enabled for auditing.

To avoid this situation, add the following environment variable to your /etc/centrifydc/ssh/sshd_config file:

AcceptEnv centrify_cip_da_data

Note that the /etc/centrifydc/ssh/ path above applies if you're using the Delinea OpenSSH server. If you're using a different SSH server, the file path may differ, so be sure to update the appropriate SSH daemon configuration file for your system.

With the environment variable accepted, the agent uses it to verify the SSH public key of the associated tenant. That way the auditing service can determine which sessions are duplicated and remove them. Also, the agent on the UNIX computer no longer records sessions that originate from the Admin Portal on the same computer.

Downloading the Tenant SSH Public Key

There's a script called dadownloadsshpublickey.tcl that downloads the tenant's SSH public key. With the public key and the centrify_cip_da_data environment variable, the auditing service can determine which audit sessions are duplicates and remove them.

The agent installer puts this tcl script into /usr/bin, except for CoreOS systems where the installer puts the script into /opt/centrify/bin. This script requires root privilege to run. The output file specified by dad for the script is /var/centrifyda/tenant_rsa.pub.

If da fails to download the public key or if you need to change the public key after da has started, you can manually run this tcl script.

/usr/bin/dadownloadsshpublickey.tcl --output-file /var/centrifyda/tenant_rsa.pub

Use the following options when you run this script:

  • --cip, --i <cloud tenant URL>

    This option is optional.

    If the computer is not joined to the domain currently, use this option to specify the cloud tenant URL. If you don't use this option, the script finds the URL automatically if the computer is joined to the domain.

  • --output-file, -o <file>

    This option is required.

    Use this option to specify the output filename for the tenant's SSH public key. This file must be in a parent directory that is writable by root only and the directory cannot be a symlink.
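The following shell script is an added example, not part of the Delinea documentation or product. It covers both steps above: it adds the AcceptEnv line to an sshd_config only if it is not already present (placing it before any Match block, where a trailing AcceptEnv would otherwise apply only to that block), and it checks that the directory holding the tenant public key is not a symlink and is writable by its owner only. The function names, the optional expected-owner argument (defaulting to root) and the temporary file path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Delinea's code): sshd_config AcceptEnv check and key
# directory permission check for the duplicate-session cleanup setup.

# Ensure "AcceptEnv centrify_cip_da_data" is in the given sshd_config.
# Prints "present" if already configured, "added" after adding it.
ensure_accept_env() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*AcceptEnv([[:space:]]+[^#[:space:]]+)*[[:space:]]+centrify_cip_da_data([[:space:]]|$)' "$cfg"; then
        echo present
        return 0
    fi
    if grep -Eq '^[[:space:]]*Match([[:space:]]|$)' "$cfg"; then
        # Insert before the first Match block so the directive stays global.
        awk '/^[[:space:]]*Match([[:space:]]|$)/ && !done {
                 print "AcceptEnv centrify_cip_da_data"; done = 1 }
             { print }' "$cfg" > "$cfg.tmp"
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"   # keep inode and mode
    else
        printf 'AcceptEnv centrify_cip_da_data\n' >> "$cfg"
    fi
    echo added
}

# Check the parent directory of the tenant key file: not a symlink, owned by
# the expected owner (default root), and no group/other write permission.
# Returns 0 when the directory is acceptable, 1 with a reason otherwise.
check_keyfile_dir() {
    dir="$1"
    expected_owner="${2:-root}"   # assumption: overridable for testing
    if [ -L "$dir" ]; then echo "symlink: $dir"; return 1; fi
    if [ ! -d "$dir" ]; then echo "not a directory: $dir"; return 1; fi
    mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-xr-x
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    case "$mode" in
        ?????w????|????????w?)
            echo "group/other writable: $dir ($mode)"; return 1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "owner is $owner, expected $expected_owner: $dir"; return 1
    fi
    echo "ok: $dir"
    return 0
}
```

Run `ensure_accept_env /etc/centrifydc/ssh/sshd_config` (or your SSH server's configuration file) and `check_keyfile_dir /var/centrifyda` before invoking dadownloadsshpublickey.tcl; reload sshd afterwards so the AcceptEnv change takes effect.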